What Is a DDoS Attack?

A Distributed Denial-of-Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with excessive traffic. The potency of DDoS attacks stems from their ability to marshal vast numbers of hijacked devices—including personal computers and IoT devices^[1]—which collectively function as a botnet. These compromised devices simultaneously unleash requests in volume so that the target cannot distinguish between legitimate users and the onslaught orchestrated by attackers.

Unlike other forms of cyber-attacks aimed at data theft or espionage, the primary goal of a DDoS attack is simple yet destructive: to render the targeted online presence inoperable, thereby denying access to real users and effectively taking services offline. By exploiting multiple sources to generate a high-traffic attack, these incidents pose significant challenges for defence mechanisms that struggle to screen out harmful input without affecting normal operations.

DDoS attacks represent a formidable and increasingly common threat to the stability of digital services, causing disruption by inundating networks with traffic far beyond their capacity.

A DDoS attack leverages an army of compromised devices—collectively known as a botnet—to launch an orchestrated flood of traffic to overwhelm the target’s resources. These machines are often unsuspecting victims themselves, co-opted into the botnet through malware infections that leave them subject to remote commands without their owners’ knowledge.

The steps involved in executing a DDoS attack typically include:

• Botnet Assembly: Cyber-attackers develop or expand upon a network of hijacked computers or other internet-connected devices (a botnet), often enlisting thousands or even millions of bots.
• Command Control: The attackers utilise Command-and-Control (C2) servers to direct this legion of bots. These servers act as puppeteers, coordinating the actions across all compromised units.
• Traffic Generation: Once instructed by C2 servers, each device within the botnet contributes its share towards generating vast quantities of bogus data requests or packets—all intended for the targeted system.
• Assault on Target: As this torrential downpour escalates, it engulfs server bandwidth and computational power, the objective being not just to slow service but to render it entirely unresponsive.

There are several types or vectors of DDoS attacks:

• Volumetric Attacks: This most prevalent form simply saturates every channel leading to the victim with massive amounts of data—from seemingly legitimate request floods like UDP packets to artificial ICMP echo demands designed solely for scale.
• Protocol Attacks: By manipulating weaknesses inherent in communication protocols such as TCP/IP—including SYN floods, which exploit handshake vulnerabilities—they sap away network equipment strength until failure occurs.
• Application-layer Attacks: These insidious strikes focus narrowly yet potently on specific application functions, sending waves upon waves of crafty request patterns meant only to be partially valid so that processing them rapidly drains disproportionately sized resource pools.

Countering such threats necessitates vigilant network traffic monitoring and robust cybersecurity systems in place. These systems should not only spot potential attacks but also stop them before they cause harm.

DDoS attacks can indeed be classified based on the specific layer of a computer network they target, with each type utilising distinct methodologies to achieve disruption.

1. Network Layer (Layer 3): The goal at this level is typically to exhaust the target’s bandwidth capacity, which can cripple network operations.

• ICMP Floods: Overwhelm the target with ICMP Echo Request (ping) packets.
• UDP Floods: Send large numbers of UDP packets to random ports on a remote host.
• Smurf Attacks: Amplify network traffic by exploiting IP broadcast addressing.

2. Transport Layer (Layer 4): At this stratum, attackers aim for server or device resource depletion—specifically those involved in establishing connections and data transfer processes.

• SYN Floods: Exploit TCP connection sequence by not completing handshakes.
• TCP Connection Attacks: Exhaust all available connections; no more legitimate users can connect.
• UDP Storms: Create high packet rates using UDP datagrams leading to denial-of-service conditions.

3. Application Layer (Layer 7): These sophisticated attacks directly target the services that users interact with, aiming to disrupt specific functions or features of web applications by overwhelming them with a flood of seemingly legitimate requests.

• HTTP Floods: Inundate web servers with excessive standard HTTP requests, such as GET or POST commands.^[2]
• CMS-Based Attacks: Exploit vulnerabilities in content management systems like WordPress, using their themes and plugins as entry points for attack.
• SQL Injection: Insert malicious SQL statements into input fields, manipulating databases to exhaust resources or retrieve sensitive data.

Multi-vector DDoS attacks present a complex challenge because they employ multiple strategies simultaneously across different network layers. Launching diverse types of floods—like SYN floods combined with HTTP request storms—creates chaotic situations that are challenging for defenders to resolve quickly.

Recognising a DDoS attack amid the flow of internet traffic requires vigilance and an understanding of typical network behaviour. Here are key indicators that may signal such an assault is underway:

• Unusual Traffic Spikes: An abrupt surge in traffic, disproportionately from unrecognised or dubious IP addresses, often serves as the first red flag for a potential DDoS incident.
• Degraded Website Performance: If your site or server suddenly slows down without explanation, this degradation could be symptomatic of the strain imposed by a burgeoning DDoS attack.
• Escalating Bounce Rates: When users leave your website more frequently and quickly than usual—especially if it’s due to pages failing to load promptly—it might suggest disruptions typical of DDoS attacks are driving them away.
• Anomalous Traffic Patterns: Vigilant monitoring can unveil atypical patterns such as repetitive requests from singular IPs or unusual influxes originating from specific geographic locations—both indicative signs pointing towards orchestrated attacks rather than random spikes in visitor numbers.
• DNS or Network Infrastructure Disruptions: Experiencing trouble with domain name resolution, unexplained network routing issues, or anomalies within your network’s infrastructure can indicate a DDoS attack. Such disruptions can be orchestrated to create bottlenecks and confusion in traffic management, often serving as precursors to more extensive DDoS impacts.

To bolster identification efforts, consider implementing advanced analytical tools designed specifically for detecting aberrations within data flows; these can help discern between legitimate increases in interest versus malicious overloads intended to compromise system integrity. Additionally, establishing clear baselines for what constitutes “normal” will enhance your capacity to spot deviations swiftly.

The first documented DoS-style attack occurred during the week of February 7, 2000, when “mafiaboy”, a 15-year-old Canadian hacker, orchestrated a series of DoS attacks against several e-commerce sites, including Amazon and eBay. The attacks crippled internet commerce. The FBI estimated that the affected sites suffered $1.7 billion in damages.^[3]

Other earlier DDoS attacks had political purposes. Russia was believed responsible— though it hasn’t been proven—for the 2007 cyber-attacks in Estonia, Georgia in 2008, and Ukraine in 2014 and 2015, during times of conflict in the region.^[4]

Among the world’s largest DDoS attacks was the 2018 attack on GitHub, a software development platform and subsidiary of Microsoft. GitHub was recognised as sustaining the largest distributed denial of service (DDoS) attack that same year, which involved a 129.6 million packets per second (PPS) attack against the site.

But in January of 2019, Imperva, a cybersecurity software and services provider, disclosed that one of its clients sustained a DDoS attack in which 500 million PPS were directed at its network or website. And in April of that year, Imperva reported an even larger PPS attack on another client that surpassed the January record, peaking at 580 million PPS.^[5]

To bolster defences against the relentless threat of DDoS attacks, adopting a multi-faceted approach is essential. The following strategies can provide robust protection and help maintain continuity during such cyber assaults:

• Document Your DDoS Resiliency Plan: Craft a detailed response strategy that delineates roles, procedures, and steps to sustain operations amidst an ongoing attack.
• Proactive Monitoring for Attack Patterns: Establish continuous surveillance over network traffic to detect anomalies early on. This involves scrutinising both volume and type of traffic for irregularities.
• Minimise Exposure of Attack Surface: Once a device is infected, it may attempt to self-propagate the botnet malware by recruiting other hardware devices in the surrounding network.^[6] Tighten your network’s entry points by closing unnecessary ports and disabling unneeded services—restrict paths that could potentially be exploited.
• Implement Rate Limiting Controls: Set thresholds for incoming requests to prevent servers from being swamped; rate-limiting acts as a buffer against sudden spikes in traffic aiming to exhaust resources.
• Utilise Content Delivery Networks (CDNs): CDNs not only accelerate content delivery globally but also disperse incoming load across multiple nodes, making it harder for attackers to pinpoint critical infrastructure components.
• Deploy Web Application Firewalls (WAFs): WAFs act as gatekeepers by filtering out malicious data packets before they reach your applications or websites. This layer of defence is especially crucial at the application layer, where specific software vulnerabilities may be targeted.
• Partner with DDoS Protection Providers: Collaborate with ISPs or specialised third-party services offering bespoke DDoS mitigation solutions tailored to promptly foresee, identify, and neutralise threats.
• Vigilant Log Analysis: Consistently reviewing system logs provides insights into suspicious activities that could be precursors or indicators of an active DDoS campaign targeting your systems.
• Automated Response Systems: Employ technologies capable of immediate detection and automated countermeasures upon identifying attack patterns—a swift reaction often mitigates potential damage without necessitating human intervention.
• Train Your People: Most malware attacks target people, not your infrastructure. This shift calls for a people-centric approach to security awareness training and protecting your environment.

According to the Proofpoint 2023 Human Factor report, more than 99% of malware requires some form of user interaction.^[7] Email is a primary tactic used by attackers to establish access. Integrating these practices within your cybersecurity framework fortifies your organisation against the disruptive force wielded by modern-day DDoS attacks while preserving service availability even under duress.

For large organisations, governmental agencies, and educational institutions alike, minimising the attack vectors that cybercriminals use in carrying out DDoS attacks is vital. Partnering with a leading cybersecurity provider like Proofpoint can shield against these threats through a strategic combination of advanced technology and human-centred awareness.

As part of a comprehensive defence strategy, organisations often need a multi-layered approach to DDoS protection. This centres on creating a DDoS attack threat model and developing a structured approach to identify potential risks to online services, including defining assets to protect and potential attackers.

Within the scope of this multi-layered defence strategy, Proofpoint offers several products that help prevent DDoS attacks, including:

• Targeted Attack Protection (TAP): Helps detect, mitigate, and block advanced threats containing malicious attachments and URLs targeting people through emails and cloud apps like Microsoft Office 365 and Google G Suite. TAP provides visibility of Very Attacked People (VAPs) within organisations and allows for the rewriting of embedded URLs to protect users on any device.
• Remote Browser & Email Isolation: Enable users to access personal webmail from corporate devices without security concerns, integrated with TAP for added security for Very Attacked People (VAPs). Additionally, protect all web browsing activities for end users, providing a secure and anonymous web browsing service that is easy for IT teams to deploy and manage.
• Cloud Security Solutions: Provides secure access to web and cloud services with access control, threat protection, data security, security monitoring, and acceptable-use control. This solution protects people and data by offering visibility into cloud risks, automating threat and data protection, enabling safe access to the web and cloud applications, and protecting data against threats and negligence.

These are just a few of the products in Proofpoint’s arsenal that play a crucial role in enhancing an organisation’s defence against DDoS attacks. Proofpoint can also help train staff members through effective security awareness training and other measures to establish an impenetrable network. For more information, contact Proofpoint.

[1] Cloudflare. “What Is a DDoS Attack?”
[2] Steve Weismann, NortonLifeLock. “What is a distributed denial of service attack (DDoS), and what can you do about them?”
[3] Encyclopedia Brittanica.
[4] Ibid.
[5] Casey Crane, Hashed Out. “The Largest DDoS Attacks in History”
[6] Cloudflare. “What Is a DDoS Botnet?”
[7] Proofpoint. “Human Factor Report”